Vulnerability Scanning & Assessment

# Vulnerability Scanning & Assessment

## Purpose

Enable Claude to perform comprehensive vulnerability assessments by directly analyzing dependency files, configuration files, and scan output — then generating prioritized, actionable reports. Claude identifies vulnerabilities, calculates risk, and prescribes remediation with version specifics.

---

## Activation Triggers

This skill activates when the user asks about:
- Scanning dependencies for known CVEs
- Auditing `requirements.txt`, `package.json`, `go.mod`, `pom.xml`, `Cargo.toml`
- Reviewing server configurations for security issues
- CVSS scoring or severity calculation
- Vulnerability assessment or security audit reports
- Checking software versions against known exploits
- Configuration hardening for nginx, Apache, SSH, Docker, Kubernetes
- NVD, OSV, or CVE database queries

---

## Prerequisites

```bash
pip install requests packaging jinja2 pyyaml
```

**Optional enhanced tools:**
- `nuclei` — Template-based vulnerability scanner
- `trivy` — Container and filesystem scanner
- `nmap` with NSE scripts — Network vuln scanning
- `openvas` — Full vulnerability management

---

## Core Capabilities

### 1. Dependency Vulnerability Auditing

Claude can directly read and analyze dependency files:

**When the user asks to audit dependencies:**

1. **Read the dependency file** using Claude's Read tool or ask the user to paste it
2. **Identify package manager** from file format:
   - `requirements.txt` / `Pipfile.lock` / `pyproject.toml` → Python/pip
   - `package.json` / `package-lock.json` / `yarn.lock` → Node.js/npm
   - `go.mod` / `go.sum` → Go modules
   - `pom.xml` / `build.gradle` → Java/Maven/Gradle
   - `Cargo.toml` / `Cargo.lock` → Rust/Cargo
   - `Gemfile.lock` → Ruby/Bundler
   - `composer.lock` → PHP/Composer
3. **Extract exact versions** for all direct and transitive dependencies
4. **Query vulnerability databases** — Claude can search NVD API, OSV, and GitHub Advisory Database for each package+version combination
5. **Calculate CVSS v3.1 severity** for each finding
6. **Check for available patches** — identify the minimum safe version
7. **Generate prioritized remediation report**

**Use this command to run the automated audit:**
```bash
python scripts/dependency_auditor.py --project-dir ./myapp --format json --output audit.json
python scripts/dependency_auditor.py --requirements requirements.txt --severity high,critical
```

**Claude's native analysis** — When running without scripts, analyze pasted dependency content directly:
- Flag packages with `>= `, `*`, or missing version pins (supply chain risk)
- Identify known high-risk packages (log4j, spring-core, struts, etc.)
- Cross-reference with CISA KEV (Known Exploited Vulnerabilities) catalog

### 2. Configuration Security Auditing

Claude can directly read and analyze configuration files:

**When the user asks to audit a configuration:**

#### Nginx Audit Checklist
```
[ ] ssl_protocols — Must NOT include SSLv2, SSLv3, TLSv1, TLSv1.1
[ ] ssl_ciphers — Must not include RC4, DES, MD5, EXPORT ciphers
[ ] server_tokens — Should be 'off' (hides version)
[ ] add_header X-Frame-Options — Required (SAMEORIGIN or DENY)
[ ] add_header X-Content-Type-Options — Required (nosniff)
[ ] add_header Strict-Transport-Security — Required (min 1 year)
[ ] add_header Content-Security-Policy — Required
[ ] autoindex — Must be 'off' (prevents directory listing)
[ ] client_max_body_size — Should be set (prevents DoS)
[ ] access_log / error_log — Must be enabled
```

#### SSH (sshd_config) Audit Checklist
```
[ ] PermitRootLogin — Should be 'no' or 'prohibit-password'
[ ] PasswordAuthentication — Should be 'no' (key-only)
[ ] PermitEmptyPasswords — Must be 'no'
[ ] Protocol — Should be '2' only
[ ] Port — Consider non-default port
[ ] AllowUsers / AllowGroups — Explicit allowlist preferred
[ ] MaxAuthTries — Should be 3-5
[ ] LoginGraceTime — Should be 30-60s
[ ] ClientAliveInterval — Enable session timeout
[ ] X11Forwarding — Should be 'no' if unused
[ ] UsePAM — Review PAM configuration
```

#### Docker/Dockerfile Audit Checklist
```
[ ] USER — Must not run as root; add non-root user
[ ] Image tags — Must not use 'latest'; pin specific digest
[ ] COPY vs ADD — Prefer COPY; ADD has implicit extraction risks
[ ] Secrets — No RUN commands with passwords/tokens
[ ] Multi-stage builds — Minimize attack surface
[ ] HEALTHCHECK — Define health monitoring
[ ] .dockerignore — Exclude .env, keys, secrets
[ ] Read-only filesystem — Use --read-only where possible
```

#### Kubernetes YAML Audit Checklist
```
[ ] securityContext.runAsNonRoot — Must be true
[ ] securityContext.readOnlyRootFilesystem — Should be true
[ ] securityContext.allowPrivilegeEscalation — Must be false
[ ] capabilities — Drop ALL, add only required
[ ] resources.limits — CPU and memory limits required
[ ] NetworkPolicy — Restrict pod-to-pod communication
[ ] ServiceAccount — Disable automount if not needed
[ ] secrets — Use sealed secrets or external vaults
[ ] hostPID/hostIPC/hostNetwork — Must be false
[ ] privileged — Must never be true in production
```

### 3. CVSS v3.1 Scoring

**When the user asks to calculate CVSS or assess severity:**

Claude can calculate CVSS v3.1 scores from the vector string or from a vulnerability description:

**CVSS v3.1 Metrics:**
| Metric | Values | Description |
|--------|--------|-------------|
| Attack Vector (AV) | N/A/L/P | Network/Adjacent/Local/Physical |
| Attack Complexity (AC) | L/H | Low/High |
| Privileges Required (PR) | N/L/H | None/Low/High |
| User Interaction (UI) | N/R | None/Required |
| Scope (S) | U/C | Unchanged/Changed |
| Confidentiality (C) | N/L/H | None/Low/High |
| Integrity (I) | N/L/H | None/Low/High |
| Availability (A) | N/L/H | None/Low/High |

**Severity Ranges:**
| Score | Severity |
|-------|----------|
| 0.0 | None |
| 0.1–3.9 | Low |
| 4.0–6.9 | Medium |
| 7.0–8.9 | High |
| 9.0–10.0 | Critical |

**Example calculation:**
- Remote unauthenticated RCE: `AV: